Earlier this Summer, the National Institute of Standards and Technology (NIST), a part of the US Department of Commerce, proposed a set of standards to address software supply chain attacks - and the growing need for better software security.
The recommendation is one we’re starting to see more and more of from government agencies - and something we certainly applaud.
NIST Secure Software Development Framework
NIST proposes a software design framework to support four key goals:
- Preparing the Organization
- Protecting the Software
- Producing Well-Secured Software
- Responding to Vulnerability Reports
“The practices provide flexibility for implementers, but they are also clear to avoid leaving too much open to interpretation,” says the whitepaper. NIST proposes several steps to serve each of the four goals.
For example, under “Producing Well-Secured Software,” NIST makes the following nine recommendations.
- Take Security Requirements and Risk Information into Account During Software Design
- Review the Software Design to Verify Compliance with Security Requirements and Risk Information
- Verify Third-Party Software Complies with Security Requirements
- Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality
- Create Source Code Adhering to Secure Coding Practices
- Configure the Compilation and Build Processes to Improve Executable Security
- Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
- Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
- Configure the Software to Have Secure Settings by Default
The whitepaper offers specific steps an organization should take to implement each recommendation - which is timely, as the Washington Post also revealed earlier this Summer that eight federal agencies failed to comply with ‘basic cybersecurity standards.’
A Push Toward Strong Cybersecurity Hygiene Practices
As we reported in the 2019 Software Supply Chain Report, a software supply chain’s construction is key to its integrity. Our report identifies the practices of exemplary teams - which first and foremost, involve understanding what’s in your software. Software suppliers who work with government agencies should proactively adopt these best practices before they’re forced to.
Like NIST, government agencies are racing to determine how to employ new policies and legislation to protect citizens, businesses and critical infrastructure. They’re beginning to recognize the growing importance of managing software supply chains with the same rigor and vigilance that they apply to supply chains carrying physical goods.
For example, in the 2019 SSC Report, we highlight the U.S. Department of Commerce, the U.S. Food and Drug Administration (FDA), and the U.S. House Energy and Commerce Committee - all of which make recommendations to enhance software security.
SBOMs and CBOMs
The Energy and Commerce Committee, for instance, stresses that suppliers offer a Software Bill of Materials (SBOM). SBOMs minimize supply chain risks because an inventory of open source software components makes possible remediation more efficient.
The authors from the Energy and Commerce Committee pointed out that it
“was not that organizations did not know which software was vulnerable… it was that they did not know which pieces of technology that they depended on included it. The SBOM minimizes the number of unknown unknowns with which organizations must contend, and greatly increases their ability to protect themselves, their users, and ultimately society.”
Similarly, the FDA released guidance for cybersecurity management of medical devices. The FDA’s report called for medical device manufacturers to present a Cybersecurity Bill of Materials (CBOM). The FDA report also suggested that manufacturers may be subject to legal liabilities tied to the distribution of a medical device with a known software vulnerability.
In our 2018 SSC report, we highlight even more government recommendations that yield strong protections.
Exemplary Example: Automated Policy Adherence
Another characteristic that sets exemplary teams apart is their use of automated tools. Specifically, automated policy tools improves security. “In our research, where security was automated most in the SDLC, we see 2x higher compliance ratio to those security policies,” says Derek Weeks, Sonatype Vice President.
Technology leaders in government are rising to the shifting threat landscape. There is still a need to improve, but optimism is warranted. Government recognizes the need to better secure the software and software supply chains that we rely upon. Government leaders are increasingly sharing best practices internally and intra-agency, as well as publishing guidelines for suppliers.
The NIST proposal is a strong step forward. Public comment on the proposal is open until August 5, 2019.